Event: Chaotic-Congress-Cinema-28C3 No. 22

From Attraktor Wiki

Revision as of 11 April 2012, 17:46 by Muelli (talk | contribs)



Chaotic Congress Cinema No. 22

Start: 2012/06/06 20:30:00

End: 2012/06/06 22:00:00



We watch recordings of Congress talks. You are warmly invited to show up at the club rooms at Mexikoring 21 and watch and discuss the talks with us. Drinks and snacks will be available at moderate prices. If you are not a member of the CCC, CCCHH or Attraktor e.V., that does not matter at all: all guests are welcome. :-)

Further information at Chaotic Congress Cinema.

ChokePointProject - Quis custodiet ipsos custodes?

Aggregating and Visualizing (lack of) Transparency Data in near-realtime

The object of the lecture is to present and discuss the chokepointproject: how it attempts (or will attempt) to aggregate and visualize near-realtime global internetwork data and augment this visualisation with legislative, commercial (ownership) and circumvention information.

The goals of the project are as follows:

  1. Provide a global early warning system against governmental or commercial abuse of internetworking systems in regards to civil and human rights.
  2. Enforce transparency by aggregating commercial ownership information.
  3. Enforce transparency by aggregating legislative information, including voting histories.
  4. Enable lobbyists to influence legislators by providing reliable, verifiable data.
  5. Provide a public database with near real-time network monitoring data for general use.
  6. Provide up-to-date circumvention methodologies, their relative legal status and their potential risks.


The chokepointproject currently consists of two elements:

  1. A frontend and public database.
  2. An intended globally distributed network monitoring data collection system.


The frontend intends to provide an easily understandable visualisation of aggregated and processed data sources. The data sources intend to provide the following information:

  1. A per-country detailed description of:
     1a. Network ownership (by IP block and route).
     1b. Legislative information, such as: which relevant laws are currently active; who has voted for them (supposing voting was part of the process); which relevant laws are currently under review or being proposed; who is proposing/drafting these laws.
     1c. What circumvention methods are currently available for specific problems.
  2. Near real-time network status visualisations such as, but not restricted to:
     2a. Connectivity of geographic clusters.
     2b. Manipulation of connectivity such as: 2b.1. traffic shaping, 2b.2. content filtering, 2b.3. blackouts.


The intended globally distributed network monitoring data collection system would provide an independent and publicly available dataset. I do not intend to discuss this in depth. The focus of this lecture is supposed to be the front-end and the aggregation of already publicly available data sources, and the supposed benefit to improving civil rights everywhere and protecting them in those places where their functional effectiveness is under threat.


New Ways I'm Going to Hack Your Web App

Writing secure code is hard. Even when people do it basically right there are sometimes edge cases that can be exploited. Most of the time writing code that works isn't even the hard part; it's keeping up with the changing attack techniques while still keeping an eye on all the old issues that can come back to bite you, straddling the ancient world of the 90's RFCs and 2010's HTML5-compatible browsers. A lot like how Indiana Jones bridges the ancient and the modern... Except for Indiana Jones 4. Let's never talk about that again. Ever. Take Facebook, Office 365, Wordpress, Exchange, and Live. These are applications that had decent mitigations to standard threats, but they all had edge cases. Using a mix of old and new ingredients, we'll provide a sampler plate of clickjacking protection bypasses, CSRF mitigation bypasses, "non-exploitable" XSS attacks that are suddenly exploitable and XML attacks where you can actually get a shell; and we'll talk about how to defend against these attacks.

The best description is probably via the slides linked below. We've put a lot of effort into these, and they have video clips making the slide deck pretty big (which is why we're linking to it rather than attaching it).